Privacy Impact Assessments

Administrative Procedure: 179

PRIVACY IMPACT ASSESSMENTS

Background
The District is responsible for ensuring that it protects the Personal Information within its custody and control, including by complying with the provisions of the Freedom of Information and Protection of Privacy Act (“FIPPA”). FIPPA requires that the District conduct a Privacy Impact Assessment (“PIA”) to ensure that all collection, use, disclosure, protection and processing of Personal Information by the District is compliant with FIPPA.

A Privacy Impact Assessment (PIA) is an in-depth review of any new or significantly revised initiative, project, activity, or program to ensure that it is compliant with the provisions of FIPPA, to identify and mitigate risks arising from the initiative and to ensure that the initiative appropriately protects the privacy of individuals.

The purpose of this Procedure is to set out the District’s process for conducting PIAs in accordance with the provisions of FIPPA.

Procedures
1. Scope & Responsibility
This Procedure applies to all new and significantly revised Initiatives of the District.
All employees of the District are expected to be aware of and follow this Procedure in the event that they are involved in a new or significantly revised Initiative.
Departments and management employees are responsible for planning and implementing new or significantly revised Initiatives in accordance with the requirements of this Procedure.

2. Definitions
2.1 “Employees” means the employees, contractors, and volunteers of the District.
2.2 “Head” means the Secretary-Treasurer of the District or any person to whom the Secretary-Treasurer has delegated their powers under this Procedure.
2.3 “Initiative” means any enactment, system, project, program, or activity of the School District.
2.4 “Personal Information” means any recorded information about an identifiable individual that is within the control of the District and includes information about any student or any Employee of the District. Personal Information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work.
2.5 “PIA” means a Privacy Impact Assessment performed in accordance with the requirements of FIPPA.
2.6 “Privacy Officer” means the person who has been designated by the Head as the Privacy Officer for the District.
2.7 “Responsible Employee” means the Department Head or other Employee who is responsible for overseeing an Initiative, and in the event of doubt, means the Employee designated in the PIA as the Responsible Employee.
2.8 “Supplemental Review” means an enhanced process for reviewing the privacy and data security measures in place to protect sensitive Personal Information in connection with an Initiative involving the storage of Personal Information outside of Canada.

3. Responsibilities of the Head
The administration of this Procedure is the responsibility of the Secretary-Treasurer, who is the “Head” of the District for all purposes under FIPPA. The Head may delegate any of their powers under this Procedure or FIPPA to other School District Employees by written delegation.

4. Responsibilities of the Privacy Officer
The Privacy Officer is responsible, in consultation with the Head, for ensuring that all PIAs and Supplemental Reviews are completed in accordance with the requirements of FIPPA and this Procedure.

5. Responsibilities of All Employees
5.1 Any Employees responsible for developing or introducing a new or significantly revised Initiative that involves or may involve the collection, use, disclosure, or processing of Personal Information by the District must report that Initiative to the Privacy Officer at an early stage in its development.
5.2 All Employees involved in a new or significantly revised Initiative will cooperate with the Privacy Officer and provide all requested information needed to complete the PIA.
5.3 All Employees will, at the request of the Privacy Officer, cooperate with the Privacy Officer in the preparation of any other PIA that the Privacy Officer decides to perform.

6. The Role of the Responsible Employee
6.1 Responsible Employees are responsible for:
6.1.1 ensuring that new and significantly revised Initiatives for which they are the Responsible Employee are referred to the Privacy Officer for completion of a PIA;
6.1.2 supporting all required work necessary for the completion and approval of the PIA;
6.1.3 being familiar with and ensuring that the Initiative is carried out in compliance with the PIA; and
6.1.4 requesting that the Privacy Officer make amendments to the PIA when needed and when significant changes to the Initiative are made.

7. Initiatives involving the Storage of Personal Information outside of Canada
7.1 Employees may not engage in any new or significantly revised Initiative that involves the storage of Personal Information outside of Canada until the Privacy Officer has completed and the Head has approved a PIA and any required Supplemental Review.
7.2 The Responsible Employee or Department may not enter into a binding commitment to participate in any Initiative that involves the storage of Personal Information outside of Canada unless any required Supplemental Review has been completed and approved by the Head.
7.3 It is the responsibility of the Privacy Officer to determine whether a Supplemental Review is required in relation to any Initiative, and to ensure that the Supplemental Review is completed in accordance with the requirements of FIPPA.
7.4 The Head is responsible for reviewing and, if appropriate, approving all Supplemental Reviews and in doing so must consider risk factors including:
7.4.1 the likelihood that the Initiative will give rise to an unauthorized collection, use, disclosure, or storage of Personal Information;
7.4.2 the impact to an individual of an unauthorized collection, use, disclosure, or storage of Personal Information;
7.4.3 whether the Personal Information is stored by a service provider;
7.4.4 where the Personal Information is stored;
7.4.5 whether the Supplemental Review sets out mitigation strategies proportionate to the level of risk posed by the Initiative.
7.5 Approval of a Supplemental Review by the Head shall be documented in writing.

8. Contact Information
Questions or comments about this Policy may be addressed to the Privacy Officer.

9. Related Acts and Regulation
School District and Institute Act
Freedom of Information and Protection of Privacy Act (FIPPA)

10. Supporting References, Policies, Procedures and Forms
Privacy Policy
